CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E


Results 1 to 3 of 3

Thread: Change interface IP

  1. #1
    Join Date
    Rep Power

    Default Change interface IP

    Hi all,

    I urgently need to change the IP of my external interface of my checkpoint solaris box (is an enforecement module, centrally managed) as the connection it was on has been disconnected, so have a new connection with a new IP range.

    What do I need to do to change the ip, and reset sic on this? (I'm completely new to solaris :( )


  2. #2
    Join Date
    Europe, Germany
    Rep Power

    Default Re: Change interface IP

    A view questions about your setup.

    Since it is central managed, i hope you also have central license.
    Which version of CP and also Solaris?
    If you look into smart dashboard which ip for the gw is used there?
    The internal or the external IP, if internal one no sic reset is needet.

    Does the box do also NAT? then you have to change every object that which is natted behind the old IP space in the rulebase!

    First off all make sure you have direct access (serial/keyboard) to the machine.
    Create a dump/copy of all your routing tables and maybe static arp entries.
    netstat -rn | tee ~/save_routingtable
    arp -an | tee ~/save_arp
    also do not forget the follwing files

    Do you have arp and routing in a startup script? then create a copy and also make new files with the right arp routing (do not replace with the old with the new one now)

    If you have identified all objects routing ... and also have the new setup on a paper (important, never trust your mind if something goes not well since you are new to this OS)
    • If License is local attached and bind to the external IP you have to generate a new on first.
    • If license is at the central management revoke it from the GW (i think this will also reset sic but not sure)

    for a sic rest do the following at NG version
    Configuration Options:
    (1)  Licenses
    (2)  SNMP Extension
    (3)  PKCS#11 Token
    (4)  Random Pool
    (5)  Secure Internal Communication
    (6)  VPNx
    (7)  Enable cluster membership for this gateway
    (8)  Automatic start of Check Point Products
    choose option 1 to see the licenses note the ip
    Host         Expiration  Signature  Features  never       ......     ......
    choose option 5 for the sic reset and later to setup the new trust

    Now we can start to prepare the new IP setup.
    We start at the host to see if everything we do is OK.
    ifconfig qfe0  (if this is the interface, mabe a hme?) inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
    then check with ifconfig -a
    route add default xxx.xxx.xxx.xxx ( if you got an error do a route delete default before)
    Now try to ping your upstream router and check if you see the router mac with arp -an
    everything OK, change the interface /etc/hostname.qfeN or hmeN and also the entrieys in /etc/defaultrouter /etc/hosts /etc/netmasks

    Now you can try one of the first arp entry for test
    Note the Mac is from your public interface in this notation: 8:0:12:b7:31:7a and the pub keyword is not optional!
    arp -s PublicIP  MAC pub
    check again with arp -an

    now inject all arps and routing in the following scema.
    #arp -s NewPubOpbjectIP MAC.publicIF pub
    #/usr/sbin/route add host NewPubOpbjectIP NatIP
    if this works and you have scripts for this it is time to bring them into the game (modified arp and routing scripts)
    Replace the original one with the new one and fire the scripts up
    check again
    now check all the scripts you have to save if you have to modify something here, the do it now (but keep a copy).
    If you have done everything it is save to reboot to see if routing and arp works. (only if you have direct not remote access like ssh)

    If everything works well you can recreate sic install the new licence and the modified rulebase and the do all checks ...

    Not discribed here changes for remote clients ...

    Hope this helps, but no guaranty maybe I forgot something or if the order is not 100 correct

    good luck

  3. #3
    Join Date
    Rep Power

    Default Re: Change interface IP

    Excellent, thankyou :-)

Similar Threads

  1. change gateway on interface
    By archie100 in forum Installing And Upgrading
    Replies: 2
    Last Post: 2009-01-22, 02:24
  2. Address Interface Change - Need Help!!
    By pviana in forum Clustering (Security Gateway HA and ClusterXL)
    Replies: 0
    Last Post: 2008-07-15, 10:21
  3. Change SIC Interface
    By vijayant in forum Clustering (Security Gateway HA and ClusterXL)
    Replies: 8
    Last Post: 2008-05-30, 10:55
  4. Gateway Interface IP change
    By jobroco in forum Installing And Upgrading
    Replies: 2
    Last Post: 2007-07-13, 08:53
  5. IP change on interface
    By pop_alex in forum Topology Issues
    Replies: 11
    Last Post: 2006-06-01, 07:29


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts